How to create MAC local authentication in WLC and Web Portal authentication in SmartPass for a single SSID

  [KB34160]


Summary:

This article explains how to create MAC local authentication in Juniper WLC and Web Portal authentication in SmartPass for a single SSID. The portal page will be served from SmartPass.

Solution:

RADIUS/SmartPass IP: 10.9.221.185
SSID Name: MAC-WEB
VLAN Name: wireless

  1. Sample configuration in the WLC:

    set service-profile MAC-WEB ssid-name MAC-WEB
    set service-profile MAC-WEB ssid-type clear
    set service-profile MAC-WEB web-portal-form https://10.9.221.185:444/gp2/webportal/ext/webPortalAuthLogin
    set service-profile MAC-WEB web-portal-acl webcl
    set service-profile MAC-WEB 11n short-guard-interval disable
    set service-profile MAC-WEB wpa-ie auth-dot1x disable
    set service-profile MAC-WEB rsn-ie auth-dot1x disable
    set service-profile MAC-WEB attr vlan-name wireless
  2. Map the above service profile to a test radio profile, then configure the RADIUS server, the dynamic authorization client (DAC) and the AAA profile:

    # set radio-profile R2 service-profile MAC-WEB
    
    set radius server SP-li address 10.9.221.185 encrypted-key 130f021c021c0138
    set server group SP1 members SP-li
    set radius dac dac address 10.9.221.185 replay-protect disable encrypted-key 05011301285c4b1b
    set enablepass password 8537402fbbb10ad489e828e043abefe48d77
    set aaa-profile mac-web
    set aaa-profile mac-web mac local
    set aaa-profile mac-web web SP1
    set authorization dynamic ssid MAC-WEB dac
    set authentication profile ssid MAC-WEB mac-web
  3. ACL configuration: 

    set security acl name webcl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
    set security acl name webcl permit ip 0.0.0.0 255.255.255.255 10.9.221.185 0.0.0.0
    set security acl name webcl deny 0.0.0.0 255.255.255.255 capture
    commit security acl webcl
  4. Add your controller's IP address as a RADIUS client in your SmartPass server.

  5. Create a user in your SmartPass server, then test authentication against the SmartPass server with radping as below:

    #  radping server SP-li request authentication user run password run
    Sending authentication request to server SP-li (10.9.221.185:1812)
    Received Access-Accept from the server in 22 ms
       Attributes:
          ms-mppe-send-key = 0xffffffce7cffffff94ffffffbefffffffc72ffffffccffffffb8ffffff9f494a6f45ffffffdaffffffc1ffffffb4
          ms-mppe-recv-key = 0xffffff9bffffffd002ffffff9b46fffffff11661ffffffa66421ffffffba705c52ffffff97
          encryption-type = 0
          service-type = 2
          session-timeout = 0
          termination-action = 0
          vlan-name = wireless
          start-date = 19/04/09-17:30
          end-date = 19/04/10-17:30
          acct-interim-interval = 1000
  6. Connect to the SSID. The client is then prompted for the username and password.

  7. Enter the username and password that you created in the SmartPass server.

  8. After connecting to the SSID, use the following commands on the WLC to verify the session:

    #sh sessions
    
    1 sessions total
    
    User Name             SessID  Type  Address              VLAN              AP/Rdo
    --------------------- ------  ----- -------------------- --------------    -------
    run                  10510* prof  10.9.221.202         wireless            9998/2
    
    9691#
    9691#
    9691# sh sess network session-id 10510 verbose
    
    1 of 1 sessions matched
    
    Name:               run
    Session ID:         10510
    Global ID:          SESS-10510-428bbd-814741-48d
    Login type:         mac-web (mac,web)
    SSID:               MAC-WEB
    IP:                 10.9.221.202
    MAC:                28:5a:eb:25:9a:d9
    AP/Radio:           9998/2
    State:              ACTIVE
    Session tag:        1
    Host name:          Vi
    Vlan name:          wireless   (AAA)
    Service type:       2          (dynamic-author)
    End date:           19/04/10-17:30 (dynamic-author)
    Acct int interval:  1000       (dynamic-author)
    Up time:            00:00:24
    
    Roaming history:
      Switch          AP/Radio     Association time  Duration
      --------------- -----------  ----------------- -------------------
      10.9.221.242    9998/2       04/09/19 18:29:01 00:00:43
    
    Session Start:      Tue Apr  9 18:29:20 2019 IST
    Last Auth Time:     Tue Apr  9 18:29:20 2019 IST
    Last Activity:      Tue Apr  9 18:29:42 2019 IST  ( <15s ago)
    Session Timeout:    82860
    Idle Time-To-Live:  177
    Protocol:           802.11 WMM
    Session CAC:        disabled
    Stats age:          0 seconds
    Radio type:         802.11a
    Last packet rate:   6.0 Mb/s
    Last packet RSSI:   -82 dBm
    Last packet SNR:    13
    Power Save:         enabled
    Voice Queue:        ACTIVE
    
                      Packets     Bytes
                      ----------  ------------
    Rx Unicast              1061         74583
    Rx Multicast              35          4568
    Rx Encrypt Err             0             0
    Tx Unicast              1372       1801232
    Rx peak A-MSDU             0             0
    Rx peak A-MPDU             0             0
    Tx peak A-MSDU             0             0
    Tx peak A-MPDU             0             0
    
    Queue       Tx Packets  Tx Dropped  Re-Transmit  Rx Dropped
    ----------  ----------  ----------  -----------  ----------
    Background           0           0            0           0
    BestEffort        1352           0          321           0
    Video                0           0            0           0
    Voice                0           0            0           0
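
The following added example (not part of the original article and not Juniper code) evaluates the step 3 webcl rules against constructed packets, to show what a client can reach before portal login and what is handed to the portal. It assumes first-match ordering, wildcard-style masks (255.255.255.255 matches any address, 0.0.0.0 a single host), an implicit deny, and that the capture keyword redirects matching traffic to the web portal; the function names are hypothetical.

```python
import ipaddress

# The three webcl rules from step 3 of the article, verbatim.
WEBCL = """\
set security acl name webcl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name webcl permit ip 0.0.0.0 255.255.255.255 10.9.221.185 0.0.0.0
set security acl name webcl deny 0.0.0.0 255.255.255.255 capture
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    tok = line.split()[5:]  # drop the leading "set security acl name webcl"
    rule = {"action": tok.pop(0), "proto": "ip", "src": None, "dst": None,
            "sport": None, "dport": None}
    if tok[0] in ("ip", "tcp", "udp"):
        rule["proto"] = tok.pop(0)
    for side in ("src", "dst"):
        if len(tok) >= 2 and tok[0][0].isdigit():
            rule[side] = (_ip(tok.pop(0)), _ip(tok.pop(0)))  # (address, mask)
            if tok and tok[0] == "eq":
                rule[side[0] + "port"] = int(tok[1])
                del tok[:2]
    rule["capture"] = "capture" in tok
    return rule

def _addr_ok(pair, addr):
    # Assumption: wildcard mask, set bits are "don't care"; None means no address given.
    return pair is None or ((pair[0] ^ _ip(addr)) & ~pair[1] & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, sport, dst, dport):
    """Return 'permit', 'capture' or 'deny' for one packet (first match wins)."""
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and _addr_ok(r["src"], src) and _addr_ok(r["dst"], dst)
                and r["sport"] in (None, sport) and r["dport"] in (None, dport)):
            if r["action"] == "permit":
                return "permit"
            return "capture" if r["capture"] else "deny"
    return "deny"  # assumption: implicit deny when nothing matches

RULES = [parse_rule(line) for line in WEBCL.splitlines()]
# Constructed packets from an unauthenticated client (10.9.221.202 in the article).
SAMPLES = [("udp", "0.0.0.0", 68, "255.255.255.255", 67),        # DHCP discover
           ("tcp", "10.9.221.202", 50000, "10.9.221.185", 444),  # portal on SmartPass
           ("udp", "10.9.221.202", 50001, "192.0.2.53", 53)]     # DNS to another host
for pkt in SAMPLES:
    print(pkt, "->", evaluate(RULES, *pkt))
```

Under these assumptions the second rule permits every IP protocol and port toward 10.9.221.185, not only the portal on 444, so the SmartPass host's own exposed services are the pre-authentication attack surface to review.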